
Thursday, December 18, 2008

Win32/VB.IQ and Win32/VB.IQ.dr

    Trojan:Win32/VB.IQ is a trojan downloader dropped by another malware detected as Trojan:Win32/VB.IQ.dr. It connects to certain web servers to download other malware.

    Trojan:Win32/VB.IQ is dropped in the system by Trojan:Win32/VB.IQ.dr. It also drops a copy of itself as %windir%\bravo.exe.

    Trojan:Win32/VB.IQ may drop and execute the following file:
    %windir%\ppsap.exe
    Upon execution, Trojan:Win32/VB.IQ.dr drops a copy of itself in the Windows folder as ppsap.exe. It then drops the file kimo.exe also in the Windows folder.

    It then modifies the system registry so that kimo.exe and another file, bravo.exe, are automatically run when Windows starts:

    Adds value: "civic"
    With data: "%windir%\kimo.exe"
    Adds value: "ppsap"
    With data: "%windir%\bravo.exe"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    It then executes kimo.exe and bravo.exe, which are both detected as Trojan:Win32/VB.IQ.

    Take note that Trojan:Win32/VB.IQ.dr does not drop bravo.exe but attempts to execute it, as it is assumed that bravo.exe is already in the system and possibly dropped by kimo.exe.

    This ensures that Trojan:Win32/VB.IQ.dr and Trojan:Win32/VB.IQ install each other.

Tuesday, December 16, 2008

Worm Win32.Zafi.B and its removal

    The new internet worm Zafi.B spreads very fast mainly via email attachments, but also via filesharing networks.

    The message subject and body text differs depending on the domain extension of the receiver's email address. Target email addresses are collected on the local computer and extracted from several files like temporary internet files and email address books.


    Once the file has been executed, it will do following:

    1. Creates the mutex _Hazafibb
    2. Prevents execution of processes whose names contain: regedit, msconfig, task (e.g. regedit, taskman, taskmon, mstask, msconfig)
    3. Deletes the following files from Windows folder: fvprotect.exe winlogon.exe services.exe jammer2nd.exe
    4. Checks if the computer is connected to the internet by attempting to contact google.com or microsoft.com
    5. Searches for e-mail addresses in files matching: htm,wab,txt,dbx,tbb,asp,php,sht,adb,mbx,eml,pmr
    6. Avoids e-mail addresses containing: win, use, info, help, admi, webm, micro, msn, hotm, suppor, syma, vir, trend, panda, yaho, cafee, sopho, google, kasper, msn, office, nero, icq, game, winra, winzi, divx, movie, total, wina
    7. Stores found e-mail addresses in randomly named DLL files in the %SYSTEM% folder
    8. Creates registry key and entries:
    [HKEY_LOCAL_MACHINE\Software\Microsoft\_Hazafibb]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"_Hazafibb"="%SYSTEM%\%random%.exe"]
    9. Uses its own SMTP engine to send itself to harvested e-mail addresses. Attempts to obtain an SMTP server address by prepending smtp. or mx. etc. to the domain of the harvested address, or uses a default SMTP address.
    10. Creates copies of the virus in folders containing "share" or "upload" as winamp 7.0 full_install.exe and/or Total Commander 7.0 full_install.exe
    11. Creates a thread that attempts to flood: www.parlament.hu, www.virusbuster.hu, www.virushirado.hu, www.2f.hu
    12. May create files C:\SYS.TXT and _upload.exe
    13. The virus contains the following string:
    A hajlektalanok elhelyezeset, a bunteto torvenyek szigoritasat, es a HALALBUNTETES MEGSZAVAZASAT koveteljuk a kormanytol, a novekvo bunozes ellen!2004, jun, Pecs,(SNAF Team).

    Removal:

    All antivirus vendors had protection for the Zafi.B worm with their latest updates. Symantec has a removal tool, and you could also use one of these free online scanners: Trend Micro's free online scanner, HouseCall, McAfee's Stinger tool, or Panda Software's ActiveScan. F-Secure has a removal tool available in several formats.

    Because Zafi.B may disable or overwrite existing antivirus products on infected machines, users may need to use one of the removal utilities or scanners mentioned above. If your antivirus has been overwritten, you will need to reinstall it when your system is free of Zafi.

    The main infection is removed by deleting files in the Windows system folder and removing registry entries. If you're not familiar with the Registry editor, you should probably use one of the removal tools mentioned above. While we highly recommend that you back up your registry before editing, you should be aware that the backup you make contains entries associated with Zafi.B. Since the files are deleted, you may get errors if you restore from the backup at a future date. Once your system has been cleaned, and is operating properly, you may want to delete the backup that has Zafi.B entries in it.

    1. Turn off System Restore if you're using Windows ME or XP. When you make changes to your system, Windows does a restoration checkpoint. If it does this while the system is infected, it may come back to re-infect later.
    2. Restart the computer in Safe Mode. Since the Zafi.B worm creates running processes, and Windows doesn't allow you to delete files connected with running processes, restarting is necessary. Using Safe mode prevents Windows from loading drivers and auto run entries so your system boots relatively clean. In addition, Zafi.B blocks the use of Regedit which is required below.
    3. Run a full system scan with an updated antivirus scanner (or one of the online scanners mentioned above). If your scanner does not remove everything, follow the next few steps.
    4. IMPORTANT: Your antivirus software should, during detection, produce a list of files associated with the W32/Zafi.B or W32/Erkez virus (depends on scanner). The files will be copies of the worm stored in the Windows system folder and shared folders mentioned above. You should set your antivirus to delete them. If not, delete them manually.
    5. Make a backup of the registry before you edit. Delete the Run entries associated with Zafi.B from the registry. These will be:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    and delete the key:
    "_Hazafibb"="%system%\.exe"
    Also delete the key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb
    6. Exit the registry editor.
    7. Re-enable System Restore and reboot the machine.
    8. Re-scan to be sure all files are clean.

    Sources: Pcmag | BitDefender

Saturday, December 13, 2008

win32.netsky.q virus in computer


    The worm sends itself as an e-mail attachment to addresses found on the infected computer. It copies itself into the Windows directory as SysMonXP.exe and drops a DLL component, Firewalllogger.txt, into the same directory.

    About netsky.q:

    Netsky.Q is a worm that spreads through e-mail. It is distributed as a 28,008 byte Win32 executable, compressed with PEtite, which drops a 23,040 byte DLL file. It also distributes itself inside ZIP archives. Being a self-replicating worm, it will continue to send out fake messages with subject lines like:

    * Delivery Error
    * Delivery Failure
    * Delivery
    * Mail Delivery failure
    * Mail Delivery System
    * Mail System
    * Delivery
    * Delivered Message
    * Error
    * Status
    * Failure
    * Failed
    * Unknown Exception
    * Delivery Failed
    * Deliver Mail
    * Server Error
    * Delivery Bot

    Each message carries the recipient's e-mail address at the end. This worm seems to be spreading like wildfire today.

    How to delete Win32/Netsky.Q worm files in Windows XP and Vista:

    One of the ways to remove W32/Netsky.Q is by downloading specific removal tools available from antivirus companies such as Symantec. Download this tool for automatic removal of the win32.netsky.q virus.

    If you prefer to remove it manually from Windows XP and Vista, follow these steps:

    1. First of all you need to delete Win32.NetSky.Q worm.
    2. Go to "start menu" and click "search".
    3. Click "all files and folders".
    4. Type any file name in the search box and select “Local Hard Drives.”
    5. Click “Search” and when you find the file delete it.

    How to stop Win32.Netsky.Q worm processes:

    1. Click the Start menu and select Run.
    2. Type "taskmgr.exe" and click "OK". You can also launch Task Manager by pressing ALT + CTRL + DELETE or CTRL + Shift + ESC.
    3. Click Processes tab, and find Win32/Netsky.Q worm processes.
    4. Once you’ve found the Win32/Netsky.Q worm processes, right-click and select “End Process” to stop Win32/Netsky.Q worm.
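    The three posts above (Win32/VB.IQ, Zafi.B and Netsky.Q) each list the Run-key values and dropped files the malware leaves behind. The following PowerShell audit, added here as an example and not taken from any of the posts or vendor write-ups, checks a machine for exactly those indicators and reports them without deleting anything; the value names, file names and registry paths are the ones quoted in the posts, and the process names are assumed from the file names.

```powershell
# Added example (not from the original posts): read-only audit of the
# persistence indicators listed in the VB.IQ, Zafi.B and Netsky.Q posts.
# Reports only; removal should follow the Safe Mode and registry-backup
# steps described in the Zafi.B post.
$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Run-key value names from the posts: VB.IQ.dr adds "civic" and "ppsap",
# Zafi.B adds "_Hazafibb". Data is matched with wildcards because Zafi.B
# uses a random executable name under the system folder.
$RunValues = @{
    'civic'     = '*\kimo.exe'
    'ppsap'     = '*\bravo.exe'
    '_Hazafibb' = '*.exe'
}

# Dropped files named in the posts (Zafi.B's random %SYSTEM%\*.exe is
# covered by the Run value check rather than by a fixed path).
$Files = @(
    (Join-Path $env:windir 'kimo.exe'),
    (Join-Path $env:windir 'bravo.exe'),
    (Join-Path $env:windir 'ppsap.exe'),
    (Join-Path $env:windir 'SysMonXP.exe'),
    (Join-Path $env:windir 'Firewalllogger.txt'),
    'C:\SYS.TXT'
)

$Findings = @()

# 1. Zafi.B marker key
if (Test-Path 'HKLM:\SOFTWARE\Microsoft\_Hazafibb') {
    $Findings += 'Registry key HKLM\SOFTWARE\Microsoft\_Hazafibb present (Zafi.B marker)'
}

# 2. Autorun values under HKLM ... \Run
$Run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
foreach ($Name in $RunValues.Keys) {
    $Data = $Run.$Name
    if ($Data -and ($Data -like $RunValues[$Name])) {
        $Findings += "Run value '$Name' = '$Data'"
    }
}

# 3. Dropped files
foreach ($Path in $Files) {
    if (Test-Path -LiteralPath $Path) { $Findings += "File present: $Path" }
}

# 4. Running copies (process names assumed from the dropped file names;
#    Zafi.B blocks regedit and task managers, so run this from Safe Mode)
$Procs = Get-Process -Name kimo, bravo, ppsap, SysMonXP -ErrorAction SilentlyContinue
foreach ($P in $Procs) { $Findings += "Process running: $($P.Name) (PID $($P.Id))" }

if ($Findings.Count -eq 0) { 'No indicators from the posts found.' }
else { $Findings | ForEach-Object { "[!] $_" } }
```

    Run it from an elevated PowerShell prompt; a clean machine prints a single "No indicators" line, while any hit is prefixed with [!] so the output can be pasted into an incident note.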